open-webui/backend/open_webui/utils/utils.py

import logging
import uuid
import jwt

from datetime import UTC, datetime, timedelta
from typing import Optional, Union, List, Dict


from open_webui.apps.webui.models.users import Users
from open_webui.apps.webui.models.groups import Groups

from open_webui.constants import ERROR_MESSAGES
from open_webui.env import WEBUI_SECRET_KEY


from fastapi import Depends, HTTPException, Request, Response, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from passlib.context import CryptContext

logging.getLogger("passlib").setLevel(logging.ERROR)


SESSION_SECRET = WEBUI_SECRET_KEY
ALGORITHM = "HS256"

##############
# Auth Utils
##############

bearer_security = HTTPBearer(auto_error=False)
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")


def verify_password(plain_password, hashed_password):
    return (
        pwd_context.verify(plain_password, hashed_password) if hashed_password else None
    )


def get_password_hash(password):
    return pwd_context.hash(password)


def create_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:
    payload = data.copy()

    if expires_delta:
        expire = datetime.now(UTC) + expires_delta
        payload.update({"exp": expire})

    encoded_jwt = jwt.encode(payload, SESSION_SECRET, algorithm=ALGORITHM)
    return encoded_jwt


def decode_token(token: str) -> Optional[dict]:
    try:
        decoded = jwt.decode(token, SESSION_SECRET, algorithms=[ALGORITHM])
        return decoded
    except Exception:
        return None


def extract_token_from_auth_header(auth_header: str):
    return auth_header[len("Bearer ") :]


def create_api_key():
    key = str(uuid.uuid4()).replace("-", "")
    return f"sk-{key}"


def get_http_authorization_cred(auth_header: str):
    try:
        scheme, credentials = auth_header.split(" ")
        return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials)
    except Exception:
        raise ValueError(ERROR_MESSAGES.INVALID_TOKEN)


def get_current_user(
    request: Request,
    auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
):
    token = None

    if auth_token is not None:
        token = auth_token.credentials

    if token is None and "token" in request.cookies:
        token = request.cookies.get("token")

    if token is None:
        raise HTTPException(status_code=403, detail="Not authenticated")

    # auth by api key
    if token.startswith("sk-"):
        return get_current_user_by_api_key(token)

    # auth by jwt token

    try:
        data = decode_token(token)
    except Exception as e:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid token",
        )

    if data is not None and "id" in data:
        user = Users.get_user_by_id(data["id"])
        if user is None:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail=ERROR_MESSAGES.INVALID_TOKEN,
            )
        else:
            Users.update_user_last_active_by_id(user.id)
        return user
    else:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.UNAUTHORIZED,
        )


def get_current_user_by_api_key(api_key: str):
    user = Users.get_user_by_api_key(api_key)

    if user is None:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.INVALID_TOKEN,
        )
    else:
        Users.update_user_last_active_by_id(user.id)

    return user


def get_verified_user(user=Depends(get_current_user)):
    if user.role not in {"user", "admin"}:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )
    return user


def get_admin_user(user=Depends(get_current_user)):
    if user.role != "admin":
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )
    return user


def has_permission(
    user_id: str,
    permission_key: str,
    default_permissions: Dict[str, bool] = {},
) -> bool:
    """
    Check if a user has a specific permission by checking the group permissions
    and falls back to default permissions if not found in any group.

    Permission keys can be hierarchical and separated by dots ('.').
    """

    def get_permission(permissions: Dict[str, bool], keys: List[str]) -> bool:
        """Traverse permissions dict using a list of keys (from dot-split permission_key)."""
        for key in keys:
            if key not in permissions:
                return False  # If any part of the hierarchy is missing, deny access
            permissions = permissions[key]  # Go one level deeper

        return bool(permissions)  # Return the boolean at the final level

    permission_hierarchy = permission_key.split(".")

    # Retrieve user group permissions
    user_groups = Groups.get_groups_by_member_id(user_id)

    for group in user_groups:
        group_permissions = group.permissions
        if get_permission(group_permissions, permission_hierarchy):
            return True

    # Check default permissions afterwards if the group permissions don't allow it
    return get_permission(default_permissions, permission_hierarchy)


def has_access(
    user_id: str,
    type: str = "write",
    access_control: Optional[dict] = None,
) -> bool:
    print("user_id", user_id, "type", type, "access_control", access_control)
    if access_control is None:
        return type == "read"

    user_groups = Groups.get_groups_by_member_id(user_id)
    user_group_ids = [group.id for group in user_groups]
    permission_access = access_control.get(type, {})
    permitted_group_ids = permission_access.get("group_ids", [])
    permitted_user_ids = permission_access.get("user_ids", [])

    return user_id in permitted_user_ids or any(
        group_id in permitted_group_ids for group_id in user_group_ids
    )
sort and fix backend imports 2024-08-27 22:10:27 +00:00			`import logging`
			`import uuid`
wip: access control backend 2024-11-15 09:29:07 +00:00			`import jwt`

sort and fix backend imports 2024-08-27 22:10:27 +00:00			`from datetime import UTC, datetime, timedelta`
wip: access control backend 2024-11-15 09:29:07 +00:00			`from typing import Optional, Union, List, Dict`

refac 2024-04-02 17:05:53 +00:00
refac: mv backend files to /open_webui dir 2024-09-04 14:54:48 +00:00			`from open_webui.apps.webui.models.users import Users`
wip: access control backend 2024-11-15 09:29:07 +00:00			`from open_webui.apps.webui.models.groups import Groups`

refac: mv backend files to /open_webui dir 2024-09-04 14:54:48 +00:00			`from open_webui.constants import ERROR_MESSAGES`
			`from open_webui.env import WEBUI_SECRET_KEY`
wip: access control backend 2024-11-15 09:29:07 +00:00

refac 2024-10-15 09:48:41 +00:00			`from fastapi import Depends, HTTPException, Request, Response, status`
sort and fix backend imports 2024-08-27 22:10:27 +00:00			`from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer`
			`from passlib.context import CryptContext`
feat: multi-user support w/ RBAC 2023-11-19 00:47:12 +00:00
chore: disable passlib log 2024-01-05 20:22:27 +00:00			`logging.getLogger("passlib").setLevel(logging.ERROR)`


feat: config.json db migration 2024-08-25 14:52:36 +00:00			`SESSION_SECRET = WEBUI_SECRET_KEY`
feat: multi-user support w/ RBAC 2023-11-19 00:47:12 +00:00			`ALGORITHM = "HS256"`

			`##############`
			`# Auth Utils`
			`##############`

enh: cookie auth 2024-06-19 21:38:09 +00:00			`bearer_security = HTTPBearer(auto_error=False)`
feat: multi-user support w/ RBAC 2023-11-19 00:47:12 +00:00			`pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")`


			`def verify_password(plain_password, hashed_password):`
chore: disable passlib log 2024-01-05 20:22:27 +00:00			`return (`
			`pwd_context.verify(plain_password, hashed_password) if hashed_password else None`
			`)`
feat: multi-user support w/ RBAC 2023-11-19 00:47:12 +00:00

			`def get_password_hash(password):`
			`return pwd_context.hash(password)`


chore: disable passlib log 2024-01-05 20:22:27 +00:00			`def create_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:`
feat: multi-user support w/ RBAC 2023-11-19 00:47:12 +00:00			`payload = data.copy()`

			`if expires_delta:`
$USIGLOBAL\daniel_tsai$ fix: DeprecationWarning for datetime.utcnow() by using datetime.now(UTC) 2024-08-22 07:12:40 +00:00			`expire = datetime.now(UTC) + expires_delta`
feat: multi-user support w/ RBAC 2023-11-19 00:47:12 +00:00			`payload.update({"exp": expire})`

Start by renaming variables to something more generic. This will give us a bit more flexibility as we look to other session management mechanisms. 2024-02-01 19:40:59 +00:00			`encoded_jwt = jwt.encode(payload, SESSION_SECRET, algorithm=ALGORITHM)`
feat: multi-user support w/ RBAC 2023-11-19 00:47:12 +00:00			`return encoded_jwt`


			`def decode_token(token: str) -> Optional[dict]:`
			`try:`
Call `jwt.decode` with the expected algorithms 2024-02-01 20:52:46 +00:00			`decoded = jwt.decode(token, SESSION_SECRET, algorithms=[ALGORITHM])`
feat: multi-user support w/ RBAC 2023-11-19 00:47:12 +00:00			`return decoded`
refac: apps/openai/main.py and utils 2024-08-03 13:24:26 +00:00			`except Exception:`
feat: multi-user support w/ RBAC 2023-11-19 00:47:12 +00:00			`return None`


			`def extract_token_from_auth_header(auth_header: str):`
chore: disable passlib log 2024-01-05 20:22:27 +00:00			`return auth_header[len("Bearer ") :]`
feat: multi-user support w/ RBAC 2023-11-19 00:47:12 +00:00

backend support api key 2024-03-26 10:22:17 +00:00			`def create_api_key():`
			`key = str(uuid.uuid4()).replace("-", "")`
			`return f"sk-{key}"`


feat: secure litellm api 2024-02-24 06:44:56 +00:00			`def get_http_authorization_cred(auth_header: str):`
			`try:`
			`scheme, credentials = auth_header.split(" ")`
fix: 'dict' object issue 2024-02-25 06:10:43 +00:00			`return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials)`
refac: apps/openai/main.py and utils 2024-08-03 13:24:26 +00:00			`except Exception:`
feat: secure litellm api 2024-02-24 06:44:56 +00:00			`raise ValueError(ERROR_MESSAGES.INVALID_TOKEN)`


fix: admin issue 2024-02-11 01:54:33 +00:00			`def get_current_user(`
enh: cookie auth 2024-06-19 21:38:09 +00:00			`request: Request,`
fix: admin issue 2024-02-11 01:54:33 +00:00			`auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),`
			`):`
fix 2024-06-19 21:49:35 +00:00			`token = None`
enh: cookie auth 2024-06-19 21:38:09 +00:00
			`if auth_token is not None:`
			`token = auth_token.credentials`

fix 2024-06-19 21:49:35 +00:00			`if token is None and "token" in request.cookies:`
			`token = request.cookies.get("token")`

			`if token is None:`
			`raise HTTPException(status_code=403, detail="Not authenticated")`

backend support api key 2024-03-26 10:22:17 +00:00			`# auth by api key`
enh: cookie auth 2024-06-19 21:38:09 +00:00			`if token.startswith("sk-"):`
feat(sqlalchemy): remove session reference from router 2024-06-21 12:58:57 +00:00			`return get_current_user_by_api_key(token)`
enh: cookie auth 2024-06-19 21:38:09 +00:00
backend support api key 2024-03-26 10:22:17 +00:00			`# auth by jwt token`
refac: token handling 2024-11-06 05:14:02 +00:00
			`try:`
			`data = decode_token(token)`
			`except Exception as e:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Invalid token",`
			`)`

refac: apps/openai/main.py and utils 2024-08-03 13:24:26 +00:00			`if data is not None and "id" in data:`
feat(sqlalchemy): remove session reference from router 2024-06-21 12:58:57 +00:00			`user = Users.get_user_by_id(data["id"])`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 10:53:33 +00:00			`if user is None:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.INVALID_TOKEN,`
feat: multi-user support w/ RBAC 2023-11-19 00:47:12 +00:00			`)`
feat: user last active 2024-04-27 23:38:51 +00:00			`else:`
feat(sqlalchemy): remove session reference from router 2024-06-21 12:58:57 +00:00			`Users.update_user_last_active_by_id(user.id)`
refac: remove the verify_token and use get-current user for auth+user 2024-01-01 08:55:50 +00:00			`return user`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 10:53:33 +00:00			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.UNAUTHORIZED,`
			`)`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00
chore: formatting 2024-04-02 16:42:45 +00:00
feat(sqlalchemy): some fixes 2024-06-24 11:45:33 +00:00			`def get_current_user_by_api_key(api_key: str):`
			`user = Users.get_user_by_api_key(api_key)`
feat: user last active 2024-04-27 23:38:51 +00:00
backend support api key 2024-03-26 10:22:17 +00:00			`if user is None:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.INVALID_TOKEN,`
			`)`
feat: user last active 2024-04-27 23:38:51 +00:00			`else:`
feat(sqlalchemy): some fixes 2024-06-24 11:45:33 +00:00			`Users.update_user_last_active_by_id(user.id)`
feat: user last active 2024-04-27 23:38:51 +00:00
backend support api key 2024-03-26 10:22:17 +00:00			`return user`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00
chore: formatting 2024-04-02 16:42:45 +00:00
fix: admin issue 2024-02-11 01:54:33 +00:00			`def get_verified_user(user=Depends(get_current_user)):`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00			`if user.role not in {"user", "admin"}:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
			`)`
fix: admin issue 2024-02-11 01:54:33 +00:00			`return user`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00

fix: admin issue 2024-02-11 01:54:33 +00:00			`def get_admin_user(user=Depends(get_current_user)):`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00			`if user.role != "admin":`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
			`)`
fix: admin issue 2024-02-11 01:54:33 +00:00			`return user`
wip: access control backend 2024-11-15 09:29:07 +00:00

			`def has_permission(`
			`user_id: str,`
			`permission_key: str,`
			`default_permissions: Dict[str, bool] = {},`
			`) -> bool:`
			`"""`
			`Check if a user has a specific permission by checking the group permissions`
			`and falls back to default permissions if not found in any group.`

			`Permission keys can be hierarchical and separated by dots ('.').`
			`"""`

			`def get_permission(permissions: Dict[str, bool], keys: List[str]) -> bool:`
			`"""Traverse permissions dict using a list of keys (from dot-split permission_key)."""`
			`for key in keys:`
			`if key not in permissions:`
			`return False # If any part of the hierarchy is missing, deny access`
			`permissions = permissions[key] # Go one level deeper`

			`return bool(permissions) # Return the boolean at the final level`

			`permission_hierarchy = permission_key.split(".")`

			`# Retrieve user group permissions`
			`user_groups = Groups.get_groups_by_member_id(user_id)`

			`for group in user_groups:`
			`group_permissions = group.permissions`
			`if get_permission(group_permissions, permission_hierarchy):`
			`return True`

			`# Check default permissions afterwards if the group permissions don't allow it`
			`return get_permission(default_permissions, permission_hierarchy)`


			`def has_access(`
			`user_id: str,`
refac 2024-11-16 12:41:07 +00:00			`type: str = "write",`
wip: access control backend 2024-11-15 09:29:07 +00:00			`access_control: Optional[dict] = None,`
			`) -> bool:`
refac 2024-11-16 12:41:07 +00:00			`print("user_id", user_id, "type", type, "access_control", access_control)`
wip: access control backend 2024-11-15 09:29:07 +00:00			`if access_control is None:`
refac 2024-11-16 12:41:07 +00:00			`return type == "read"`
wip: access control backend 2024-11-15 09:29:07 +00:00
			`user_groups = Groups.get_groups_by_member_id(user_id)`
			`user_group_ids = [group.id for group in user_groups]`
refac 2024-11-16 12:41:07 +00:00			`permission_access = access_control.get(type, {})`
wip: access control backend 2024-11-15 09:29:07 +00:00			`permitted_group_ids = permission_access.get("group_ids", [])`
			`permitted_user_ids = permission_access.get("user_ids", [])`

			`return user_id in permitted_user_ids or any(`
			`group_id in permitted_group_ids for group_id in user_group_ids`
			`)`